Posted by Zonk on Saturday March 03, 2007 @08:30PM from the hole-in-the-argument dept.

NewYorkCountryLawyer writes "The online community now has an opportunity to see the fruits of its labor. Back in December, the Slashdot ('What Questions Would You Ask an RIAA Expert?') and Groklaw ('Another Lawyer Would Like to Pick Your Brain, Please') communities were asked for their input on possible questions to pose to the RIAA's 'expert', Dr. Doug Jacobson of Iowa State University, who was scheduled to be deposed in February in UMG v. Lindor, for the first time in any RIAA case. Ms. Lindor's lawyers were flooded with about 1400 responses. The deposition of Dr. Jacobson went forward on February 23, 2007, and the transcript is now available online (pdf) (ascii). Ray Beckerman, one of Ms. Lindor's attorneys, had this comment: 'We are deeply grateful to the community for reviewing our request, for giving us thoughts and ideas, and for reviewing other readers' responses. Now I ask the tech community to review this all-important transcript, and bear witness to the shoddy investigation and junk science upon which the RIAA has based its litigation war against the people. The computer scientists among you will be astounded that the RIAA has been permitted to burden our court system with cases based upon such arrant and careless nonsense.'"

I'm a Computer Engineer and a Professional Engineer. If I testify in legal proceedings, I am required to adhere to specific professional standards. My certifying body takes our legal obligations fairly seriously. A customer would be wise to hire properly licensed engineers for matters involving legal responsibility and/or large contracts. Amongst other requirements, licensed engineering firms require liability insurance, so if things go bad, the customer has some recourse. We also have ethical standards constraining what we can say or do.

A. This tells me that there was -- yes. There was no router.

Q. How does it tell you that there was no router?

A. Through the two -- If you look at the second chunk down, you will see the source address at the top and you will see the KaZaA IP address midway through that, and they match and they are both public IP addresses.

Q. You said they match?

A. Uh-huh. The 141.155.57.198.

Q. That's the source?

A. And then down below you see the KaZaA IP?

Q. Yes.

A. It's those two IP addresses.

Q. What does the first number indicate?

A. The first number of the IP address?

Q. Yes. No. The second line of that chunk that says "source." What does that indicate?

A. That is the source address. That is where the packet came from.

Q. Now we go down to the next line you referred to, it says "KaZaA IP." What does that refer to?

A. That is the IP address that the KaZaA software is running on, the IP address of the computer that the KaZaA software is running on.

Some routers share their public IP addresses with a DMZ computer.

If the defendant's wireless router did that and an attacker across the street took over her router and made his laptop into a DMZ, it would lead to this scenario. Kids, always secure your routers... unless you want to eliminate the best "but it wasn't me, honest" excuse the world has to offer.

I'm currently studying for the spring Fundamentals of Engineering exam (FE). After taking this exam and working in the field of engineering for 5 years, you can take the Professional Engineering (PE) exam. It's not the easiest test in the world, and it's a big pain in the arse. That said, I think a computer science student would have a particularly hard time with it. The morning session (general) is composed of several subjects including chemistry, strengths of materials, physics, thermodynamics, fluid mechanics, a small ethics session, etc. Basically all engineering knowledge known up to 1935, updated to the modern day. Everyone has to take the general session, and I think Comp sci students would struggle with it.

The afternoon session is a choice between mechanical, electrical, civil, (chemical?) engineering. I think maybe comp sci students could take the electrical and do fairly well on this half. The PE exams are very similar (identical?) to the FE exams, but it has been 5 years since you have been in a classroom so they are considered harder just for this reason.

As for the term "Computer Engineer"; in the 1800s a group of very smart men began doing different things with Natural Philosophy. They were so different that they thought they needed a new title for what they did to separate themselves from the natural philosophers. Eventually they went with the title "scientists". Perhaps a new title is needed for "computer engineers" because it doesn't seem to fit very well.

I would expect my licensing body would get annoyed with me if I spent "45 minutes" (Page 54) drafting a report that was used as part of litigation. They expect that Professional Engineers check our facts so as not to mislead a jury. This avoids sequences of questions like that from Page 42, where the witness essentially admits:

a) he did not look for alternative explanations,

b) he did not check how accurate his findings were (potential rate of error),

c) he has no standards or controls,

d) he is not using published methods accepted by the scientific community, and

e) has no way of determining if the information given to him was correct.

It is considered a substantial problem if a Professional Engineer misleads a jury, as it can pervert justice. As such, it is very important for the legal duties to be taken seriously and with the required standards of care.

This "expert" does not appear to be very well versed with Windows, and that should be pointed out, with a bright green laser pointer. He says that there is no indication of what DHCP address the computer had, but that is not entirely accurate.

Both 9x and NT-based variants keep information about DHCP address assignments in the registry, so that they can attempt to request their previous IP address after a startup. Specifically, in NT-based systems, you can look under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" to see a list of interfaces that Windows has available, and under each one of those, there exists a REG_SZ value, aptly named "DhcpIPAddress", which includes, in plain ASCII text in dotted-quad notation the last DHCP address handed to the box by the DHCP server at the IP specified by the "DhcpServer" REG_SZ value. Older entries could potentially exist under the "ControlSet001" and "ControlSet002" keys, both of which are backups.

While this method is by no means bulletproof, it could potentially disclose the last IP address the computer obtained from a particular DHCP server and that would not only be useful, but perhaps even relevant information.
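The registry check described in the comment above, as an added example that is not part of the original comment or the transcript: it assumes the SYSTEM hive has already been exported to `.reg` text form, and the names `dhcp_leases` and `SAMPLE_REG`, the GUIDs and the addresses are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in .reg export text form. The GUIDs and addresses are
# made up (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="192.0.2.45"
"DhcpServer"="192.0.2.1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"EnableDHCP"=dword:00000001
"DhcpIPAddress"="0.0.0.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"DhcpIPAddress"="198.51.100.7"
"DhcpServer"="198.51.100.1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
"Hostname"="example-pc"
'''

KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})'
    r'\\Services\\Tcpip\\Parameters\\Interfaces\\(\{[0-9A-Fa-f-]+\})\]$',
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"(DhcpIPAddress|DhcpServer)"="([^"]*)"$')


def dhcp_leases(reg_text):
    """Return (control_set, interface, address, server) per recorded lease."""
    records, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # New key section: track it only if it is a Tcpip interface key.
            m = KEY_RE.match(line)
            current = {"set": m.group(1), "iface": m.group(2)} if m else None
            if current:
                records.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)

    leases = []
    for rec in records:
        try:
            addr = ipaddress.ip_address(rec.get("DhcpIPAddress", ""))
        except ValueError:
            continue  # value missing or not a dotted quad
        if addr.is_unspecified:
            continue  # 0.0.0.0: this example treats it as "no lease recorded"
        leases.append((rec["set"], rec["iface"], str(addr), rec.get("DhcpServer")))
    return leases


if __name__ == "__main__":
    for lease in dhcp_leases(SAMPLE_REG):
        print(lease)
```

Listing every control set side by side makes it visible when an older set still holds a different lease than the current one.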

As I interpret it, the summary is that the guy inspecting the hard drive appeared to have no formal qualifications, his methods were not peer reviewed, he was unaware of the exact methods and procedures of the software he had been using to identify the user or examine the hard drive, he could not testify that although media appeared to be shared it had actually been downloaded by any person (other than the software looking for copyright material), although he examined the disk he didn't actually document any of his findings, that he was not aware if the time of IP address allocation and the IP address to account lookup that Verizon did was actually correlated/synchronized, that he was unaware of Verizon's procedure for looking up such data and if it was free of human and/or mechanical errors, that he didn't know what the IP allocation time was or how many times this dynamic IP address had been allocated that day, that he himself teaches classes involving spoofing, that there were 3 user accounts on the hard drive that he examined, and that, assuming the information from Verizon was accurate, he had no way to actually show which particular person had been using the computer. Further, he conceded that it was possible to compromise and control a computer remotely over the Internet, and that he had not investigated if this had actually occurred. A document was also referred to in which it was shown that P2P applications often scan users' hard drives and share media on installation, and many P2P users are not aware of which files on their computer are shared, even when their whole drive may be shared, including personal documents. It was also stated that P2P applications can run in the background, e.g. in the system tray, perhaps without the user's knowledge.

There was some tenuous discussion of how MAC addresses are used (to which I am not certain I completely agree, but I'm not an expert), and again on how the correlation of two address fields in a Kazaa packet shows that the computer was connected directly to the Internet and not through a router. Again, there was nothing to show that the computer connected to the Internet at the time actually belonged to the Verizon account holder, because no MAC address was recorded and in fact he didn't have access to anything except the hard drive (although personally I would expect Windows records this in the registry, which he did examine and didn't document). In any case, he did say that MAC addresses could be spoofed.

Most interesting for me was that as the examiner, he had been asked purely to find out if Kazaa and MP3 files were present, and he seemed to have followed that direction, failing to look for any materials (e.g. malware, remote control apps, etc.) that could possibly have assisted the defense.

Re: objections in depositions, they're hardly uncommon. There's no judge present, and it would be nightmarish if you constantly had to bother the judge over every little thing. So if you feel you need to object, you just do it, and it's in the record, and everyone proceeds. If the objection is sustained later, then it can affect how much of the deposition remains. It generally doesn't indicate that things are tense, rather it indicates that the rules of evidence are somewhat technical and that it's important to preserve an objection lest it be lost by not objecting in a timely fashion. So by and large, it's just how these things go.

The lawyer was making those objections because that's how these things work, for better or worse. In these situations, lawyers attend depositions assigned specifically to object to anything remotely objectionable in order to preserve their objections in the future (because otherwise they are lost). If something really damaging happened in one of the answers to an objected question, those lawyers could then bring up the fact that they objected at the time and wouldn't be hosed by failure to preserve the issue. In many cases it's just wasting time, but in the event something goes ill in your deposition, you'll thank your lawyers for so protecting you.

A couple of things:
1) A Deposition is an alternative to a witness appearing in Court (or at least to keep the amount of time he'll have to appear in court down). It's just the two lawyers, plus a Court recorder, who takes down what they say and reads the questions back for the witness.
2) Objections are almost always to the form of a question, rather than to any particular legal issue: Generally a witness will answer practically all questions, and their admissibility will be determined later by the Judge. The endless objections are a way of ensuring that any answer that the plaintiff's lawyer doesn't want on the record can be challenged before the Judge on some ground (any ground), usually on the basis that the question was designed to solicit a particular response (a leading question), the question was confusing to the witness (compound questions), or that the question wasn't related to the stated reason the witness was being examined (questions without foundation).
3) These objections have a surprisingly high strike-rate, considering that they're sprayed like confetti during a deposition.
Hope that clears things up
(IANAL... I'm much much worse, a law student:) ) Obviously this doesn't constitute legal advice, and it's just the kind of advice you could get from any man off the street, I don't purport to nor do I actually have any experience or specialist knowledge.... Ass covered

There seems to be a common misconception, that I noted in the testimony, that you have to use one of the reserved IP address ranges on the LAN side of a NATed router. In fact, you can use any address at all (I do). The only downside to this practice is if you eventually have to move the NATed host(s) to the WAN side, they need to be re-addressed - and of course, that only applies to hosts with statically assigned IPs.

In other words, by looking at the IP address contained in the payload, there's no way to tell that it was behind a NAT router or not simply because the IP address was not in a reserved range.

Secondarily, since the computer interface IP address is in the packet payload, that is data that is being sent by an application. The application (whatever it was that was communicating with the P2P network) may:

- lie. It could be a hacked version of a P2P standard application,
- allow user configuration of the IP address in the payload (if I remember correctly, some seem to),
- be broken. I assume all versions of all applications that communicate on the indicated P2P network were not vetted for their proper functioning.

So would a PE software engineer lose his license if he made software with numerous bugs?

No, not so long as the bugs a) weren't serious in their consequences, and b) the system failed gracefully without seriously damaging any data. Just the same as a professional structural engineer. If (for example) the construction crew slightly screws up the sand mix in the concrete in one section, it is expected of the engineer to have spec'd the building such that it won't simply collapse as a result. Engineering is often about planning for bad things to happen and mitigating the effects by design.

The evidence in this case doesn't even make it to the standard of "hearsay" not to mention the fact that the plaintiff lawyer appears to be highly inexperienced with Tourette's syndrome and keeps blurting "Objection to form."

It's late, and it's been a while since I've done this stuff, so I imagine someone else can do this better, but there's no post up yet.

Rules of evidence (no reference to policy, just rules). Law often works in layers, for example, something like so:
- General rule: Everything relevant is admissible.
- Exception to the general rule: Hearsay: Oral statements by a person other than the one giving the testimony are inadmissible.
- Exception to the Hearsay rule: (obviously not applicable, here, but for example) Statements of a murder victim identifying their murderer can be admitted by someone who overheard them prior to the victim's death.

There are more exceptions, and exceptions to the exceptions (esp. in evidentiary rules). But the logic is generally like that.

So, to wit:
The statements of the expert are admissible, as to his/her expert opinion, and their awareness in information and belief, if they are relevant.
Oral statements by the expert about what someone else said are inadmissible under the hearsay exception to the general rule, even if they are relevant.
Unless such oral statements were (per the rule-example above) made by the victim of a murder, and identify the murderer (in which case they are de facto relevant).

In this case, much of the evidence is documentary, and admissible under the general rule. Only the oral statements of others would be inadmissible under the hearsay rule in this expert's testimony. (As I understand the rules of evidence as they probably apply here)

Not that the meaning of your statement was in any way wrong in the lay-sense. But just thought it might be interesting to lay out, as it pertains to this case, in the legal sense (as far as I might grasp such a critter and be halfway able to portray it).

I gotta say that at least based on probability, I have to go with the RIAA on the matter of whether there was a NAT. The internal/external IP address match is significant; not bullet-proof (it can be spoofed), but probability does suggest that there was no NAT in this instance. Besides that, someone with the knowledge to spoof that would have a reason for doing it; if you can think of a reason somebody would spoof it in that particular way (apart from trying to intentionally incriminate innocent people), feel free to share.

Under Federal Rules of Evidence and applicable caselaw expert testimony is admissible only if it meets certain standards. Dr. Jacobson's testimony meets none of those standards and will not be admissible.

This guy may know a bit of programming, but this kind of stuff makes it pretty clear to me that he has no idea how people can and do manipulate information. It's pretty clear to me that he's done little more than investigate only those things which might support their case and has completely ignored anything which might cast doubt upon it.

And even there, there is a workaround that can be employed with the use of a 3rd party that doesn't block incoming connections (though I haven't heard of any P2P protocols that currently use this method in the wild).

Skype (which, coincidentally, was written by the same people who wrote Kazaa) uses some of those workarounds to punch through NAT firewalls. I do not know if Kazaa uses them, but the authors of Kazaa could have certainly done so.

The point of all this being, you can share files, without accepting inbound connections. You can download files from others without accepting inbound connections. And you can participate in the P2P network (communications, searches, etc) and all of the above, without your P2P program knowing your public IP address.

But P2P works better if it has access to your public IP address, and you can accept inbound connections. Hence some P2P applications will complain if they detect that they are NATed and ask for your public IP. Some will auto-detect your public IP. Others will not only autodetect your public IP, but if you have a UPNP-capable router, will automatically detect or otherwise set up appropriate holes in your NAT firewall (later versions of Azureus do this, I believe) to forward inbound connections. And, as aforementioned, Skype uses NAT-busting techniques to bypass setting up proper forwarding rules altogether. Skype's ability to get past firewalls is actually somewhat frightening...

Although the original design of the internet was based on the assumption of a static one-to-one mapping of computers to IP addresses, this is not the case today. DHCP means that the mappings are not static, and NAT means that the mapping isn't one-to-one (indeed, a sufficiently sophisticated NAT setup could be many-to-many, although such would be unusual). Even MAC addresses aren't really unique--it is quite common to set up interface failover by spoofing the MAC address of the failed NIC. Identifying a computer uniquely is a very tricky process--the common means of doing so rely on these broken assumptions. The uncommon means (specifically, searching for evidence of clock drift in timing parameters) are, well, not commonly used, and have higher false positives (due to sensitivities to temperature and the low precision of clock drift measurements). And none of this can be used to show that a particular person was doing anything at any point in time.

From my limited experience with expert testimony, many expert witnesses, although experts in their field, are not experts at being witnesses. It's a way for a university professor to pick up more money on the side with easy consulting work, especially if hired by a petitioner under the expectation of a weak defense by the respondent. In such a case, speed and cheapness are prized above thoroughness and accuracy, and actually being deposed by a lawyer who has been prepped on the sorts of questions to ask would be quite the surprise. Dr. Jacobson appears to have been caught with his pants down, giving a slap-dash report which is clearly biased in favor of the side which hired him. Although he isn't a member of any regulatory body, I would be surprised if he wasn't a member of the ACM or the IEEE Computer Society, and in violation of their respective codes [acm.org] of ethics [ieee.org] (specifically, ACM 1.2, 1.3, and 2.5, and IEEE 2, 3, 7, and 9).